Confirmed: CMU Attacked Tor, Was Subpoenaed by Feds (vice.com)
430 points by danso on Feb 24, 2016 | hide | past | favorite | 160 comments

To me the most bizarre part of this story is the argument that this didn't constitute an unlawful search because there is no reasonable expectation of privacy for Tor users:

> [...] it is the Court's understanding that in order for a prospective user to use the Tor network they must disclose information, including their IP addresses [...] such a submission is made despite the understanding communicated by the Tor Project that the Tor network has vulnerabilities and that users might not remain anonymous. Under these circumstances Tor users clearly lack a reasonable expectation of privacy [...]

They're giving over the information to a third party, which usually destroys any 4th amendment rights.

The fact that the third party was actually three different parties who only got a piece (or six, when using hidden services) doesn't seem like it would change the law.

If I split data into 6 pieces and handed it to 6 different people, the government can take those 6 pieces and put them together without violating my rights. I don't see why Tor would be any different.

In fact, this particular vulnerability IIRC involved the researchers acting as both the exit node and the guard node, and finding a way to pass a message between the two so they'd notice when they're in the same circuit. That seems even better legally than my analogy above. They didn't need to take any data, the victims connected to them and gave them the info.

The Constitutional argument is supposed to be based on reasonable EXPECTATIONS of the people involved. So, for example, when most phones were party phones, people didn't have a reasonable expectation of privacy and no warrant was needed to tap phone calls. This was what was decided in Olmstead v. U.S. in 1928.

At a later date, private phones became the norm. And so in Katz v. U.S. decided in 1967, warrants for tapping phones were held to be required. That is because people's expectations of privacy had changed.

In the case of TOR, people were using a service that was advertised as being designed by the NSA to protect your online privacy EVEN IF you were under attack by state actors. In fact it was widely advertised that all anyone could know is that you were using TOR, but nobody would know what you were doing with it, who you contacted, and so on.

What do you think would have been a reasonable expectation in 2014? That using TOR meant your communication was private, or publicly available?

That advertising was false, and Tor project developers have specifically said that it's not intended to defend against global adversaries like the NSA.

I wonder if false advertising can create a legal expectation of privacy. What if I sell a red filter for you to hang in your windows, and advertise that it protects against anyone seeing through. But you can just apply an anti-red filter to a camera and see perfectly. Is the government allowed to do that? (I don't particularly understand optics, and this likely doesn't actually make sense, but you hopefully get the idea).

An argument can be made that if someone's using something they don't understand, they shouldn't have a reasonable expectation that it's as described, especially if they aren't paying.

Many people have misconceptions about VPNs as well. That doesn't mean the data they willingly hand over is reasonably expected to be private.

(If there's precedent for a false advertising interacting with the third party doctrine, I'd be interested in seeing it.)

> That advertising was false, and Tor project developers have specifically said that it's not intended to defend against global adversaries like the NSA.

That line of reasoning would mean there is no "reasonable expectation of privacy" ever, against global adversaries like the NSA.

They even advertise it themselves "Total Information Awareness", "Nothing is beyond our reach", etc.

And this is why codified law is nice.

Honestly, someone using Tor should know that their communication details are being held by exit nodes. Isn't it kind of common among the community to not trust your exit nodes?

I would say that the assumption is that your communication is public.

Someone using TOR should know that exit nodes will know that you used TOR, but by design they are not supposed to be able to find out who you were talking to, or what you were talking about.

The general assumption back when Silk Road was created was that TOR itself was safe, and the most likely way to be discovered was for your personal machine to be compromised. This belief was only strengthened by the FBI's repeated failures to take down Silk Road.

Heck, this was still a widespread belief AFTER Silk Road was taken down! For example http://motherboard.vice.com/read/the-fbis-deep-web-raid-seiz... quotes a security researcher who came to the conclusion in late 2014 that the FBI was just scanning TOR, and TOR itself had not been compromised.

For a comparison to phones, the Supreme Court has held that a list of people you called is not protected, but the contents of your phone calls are. Similarly I think they should rule in this case that the fact you're using TOR is not protected, but the details of what you were doing on TOR is covered by the 4th amendment.

By design, if the three or six nodes that you used compare notes, they can tell who you were talking to. That seems roughly the same as breaking a key into 6 parts and giving it to 6 different parties. I think the government would be able to go to each party and ask for their part, then put them together. Therefore, there's no expectation of privacy.

What actually happened is the researchers found a way to bypass the middle guy and reconstruct the info just from the two ends. That's still just comparing notes, but from fewer people.

Yes, I know how it was broken. But the question is what the expectation should have been. And given that expectation, then whether they should have had a warrant.

In our surveillance society, the government's theory is that it should never need a warrant, because terrorism. I strongly oppose that theory. I'm OK with taking down Silk Road, but get the warrant first.

It is reasonable to assume that you are attempting to keep the information private. It is reasonable to assume that the US govt would not hack the information on that basis. If you assume it's public, why the hell are you using TOR at all? Use of TOR shows the assumption pretty clearly.

If you're attempting to keep the information private, you're not doing a good job by handing it to a third party.

Expectation of privacy is kind of based around self-incrimination, and you lose a lot of those when you hand information to a third party.

Even if it's "public" (in the legal sense of 'not protected'), Tor can be useful against non-state actors, or against weaker state actors.

I'm not saying there isn't a colloquial expectation of privacy, but that the jurisprudence on privacy doesn't apply to Tor (or at least, that there is an argument that it doesn't).

You could also say if you don't want people photographing your genitals, don't use a third-party restroom or dressing room or tanning salon. The expectation of privacy really has (or should have) nothing to do with the existence of someone's ability to violate that privacy.

I agree with you emotionally, but question your argument legally. What 'is' and what 'should be' are rarely the same thing.

If government wants something forbidden, it creeps towards it. Expectations are meaningless without threats.

>They're giving over the information to a third party, which usually destroys any 4th amendment rights.

Same reason that there is no need for a warrant to collect phone calls since you are handing data over to the phone companies to carry between you and the other party(ies). Also the same reason the government can sift through your mail, since the items are in the possession of a third party (you likely gave the items to the government itself).

To me this makes as much sense as the argument that since a plane carrying people can fly over you, it is perfectly reasonable to put up a blimp with an extremely high zoom camera on it that spies on your home constantly, detecting not just visible light, but also infrared. Also, since when you talk things vibrate, and since it is possible to view those vibrations through a window, I'm actually broadcasting my speech to the public and thus don't have any expectation of privacy.

These issues have actually been litigated in court. The broad consensus is that yes, the police can use a surveillance plane to take pictures of you without first obtaining a warrant (Florida v. Riley), but no, they can't use an infrared camera to look inside your home without a warrant (Kyllo v. United States).

None of these cases are really analogous to the Tor case. Generally speaking, you have no reasonable expectation of privacy that information that you voluntarily provide to a third party will be kept confidential. This is why the police don't need a warrant to get your phone records or to obtain your IP address.

You bring up mail, which is an interesting case. The contents of sealed mail ARE protected by the Fourth Amendment - it's just that the government usually relies on the "exigent circumstances" exception to the warrant requirement (basically, showing that there is probable cause to search the mail but that there is no time to obtain a warrant). The government can't just mass-open all sealed mail and look at its contents.

It's probably worth noting that Kyllo is one of the cases where the recently deceased Justice Scalia's "conservatism" produced a decision favorable to privacy advocates:

  We have said that the Fourth Amendment draws "a firm line
  at the entrance to the house," Payton, 445 U. S., at 590.
  That line, we think, must be not only firm but also bright—
  which requires clear specification of those methods of
  surveillance that require a warrant. While it is certainly
  possible to conclude from the videotape of the thermal
  imaging that occurred in this case that no "significant"
  compromise of the homeowner's privacy has occurred, we must
  take the long view, from the original meaning of the Fourth
  Amendment forward.

    "The Fourth Amendment is to be construed in the light of
    what was deemed an unreasonable search and seizure when
    it was adopted, and in a manner which will conserve
    public interests as well as the interests and rights of
    individual citizens." Carroll v. United States, 267 U. S.
    132, 149 (1925).

  Where, as here, the Government uses a device that is not in
  general public use, to explore details of the home that
  would previously have been unknowable without physical
  intrusion, the surveillance is a "search" and is
  presumptively unreasonable without a warrant.

Just to add a bit more information, the Kyllo v. US case was decided based on what a person would reasonably expect a member of the public to own.

Many people have planes that fly about, drones or whatnot. So you could expect random members of the public to have ways of taking aerial pictures of your house. Therefore those do not violate your right to privacy.

It's very unlikely for a member of the public to own a helicopter with an infrared camera, so using it without a warrant is a violation of privacy.

The basic example used by a court is binoculars. Most people have access to binoculars, and own them. So if you do something next to your window, police can totally look through your windows with binoculars and act on the information.

A helicopter with an infrared camera costs about $100.

I believe he is referring to a thermal imaging camera, which can see heat sources. They're still a somewhat expensive specialty item. The police used to use them to look for people growing marijuana in their attics, but higher courts now say that would require a warrant.

He may be, but over the last few years some models have come out with much lower prices: http://appleinsider.com/articles/14/11/23/review-flir-one-an...

I wouldn't be surprised if there are usable thermal imaging sensors out there for $100.

Note that this is only talking constitutionally. The government is free to pass laws that disallow such gathering, or simply not pass laws that allow it.

IIRC collecting mail is not in fact legal without a warrant, and only photographing the outside (which anyone who handles it can see) is allowed.

I do think the fact that any member of the public can collect data legally means the government should be able to as well.

> To me this makes as much sense as the argument that since a plane carrying people can fly over you, it is perfectly reasonable to put up a blimp with an extremely high zoom camera on it that spies on your home constantly, detecting not just visible light, but also infrared. Also, since when you talk things vibrate, and since it is possible to view those vibrations through a window, I'm actually broadcasting my speech to the public and thus don't have any expectation of privacy.

I doubt anyone is making that argument; in Kyllo v. United States the Supreme Court held that infrared cameras constituted an unreasonable search. Recording vibrations would also likely fall in the same category.

Police spying on you from a blimp is fairly unlikely, since it would be fairly conspicuous, not to mention expensive. Far more likely they just stick a camera on a utility pole as in the recent United States v. Houston, which is what you're most likely alluding to. The Sixth Circuit did uphold that tactic, but the law is far from settled there.

> Police spying on you from a blimp is fairly unlikely, since it would be fairly conspicuous, not to mention expensive.

The Army is actually doing this: https://theintercept.com/2014/12/17/billion-dollar-surveilla...

The scary thing about those blimps is that we used exactly those in our various warzones. Look for them in pictures of Kabul or Baghdad while Americans were there. I used to joke to buddies in my unit that it was even the same contractor sitting in the trailer where the blimp is anchored, watching the video.

Looks pretty conspicuous to me, and also extremely unlikely to be used for sustained surveillance of a person. Also sounds likely to be discontinued when funding runs out. A load of hot air, in other words.

I recognize the similarity between phone calls and Tor; however, I too think there is a difference in the expectation of privacy.

I like your analogy with aerial surveillance, but partially because I think you are wrong. It is my understanding that aerial views available to the public, such as those available to a commercial helicopter, do not require a warrant. However, if the police go beyond public capabilities with high zoom cameras it may require a warrant. Similarly, if the state goes beyond the capabilities of the public in obtaining my IP address, they should require a warrant. The question then becomes, "Does the CMU project constitute knowledge generally available to the public?" I would argue the negative, but I could see it answered either way.

It doesn't need to be available to the public, only available to third parties. There are a finite number of people (either 3 or 6) that together have all the data needed to identify the user.

I'm not a fan of the third party doctrine, which IMO badly needs to be updated. To me, it seems like a runaround/copout.

So much of our data today is held in the cloud that it amounts to open season for data acquisition. And for data that isn't, what's there to stop a governmental agency from using the All Writs Act to compel data movement/redirection to a third party site?

Just because something is technically legal today, doesn't mean it's the right thing to do.

Third Party doctrine isn't a runabout. It's inherent in the text of the 4th amendment:

> The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated...

Information I have about you is not your information, and you can't invoke the 4th amendment to protect it. Data held in the cloud is different. At least arguably, you have a property right to that data even if a cloud provider is holding it for you. You can't say that about IP addresses, IP address logs, call data records, etc. That's the company's data about you. You have no property interest in it, and mostly you don't even have access to it.

So let's work through a scenario here.

Assume you are Verizon (or any other carrier). I pay you for cell phone voice & internet service. As part of that exchange, I provide billing info etc. etc.

Are you saying that I don't own said information and that you are free to derive additional revenue by selling it to someone else? To me, I paid for a service, thereby a single transaction. My expectation is that as part of that transaction, the other party should not have the ability to derive secondary benefit without explicit consent. Particularly, since I don't see any upside to secondary/tertiary usage.

I guess I'm much more for the European vision of personal data privacy (you own your own data and grant it for specific use) vs. the US version (anything goes).

You can't own facts (such as the fact you live at 123 XYZ Street or that you made a 4 minute call last week to your mother). You can own documents (digital or otherwise) containing facts. But the documents you're talking about here are Verizon's database files. You have no right to them.

I'm not familiar with European data privacy laws, but I imagine they're like U.S. privacy laws in the sense that they're not based on ownership. E.g. it's illegal for schools to disclose your educational information to third parties. But your student records are still the school's records, not yours.

EU style grants much more in terms of data ownership for an individual. So, comprehensive vs. patchwork coverage.

From the EU DPD (1 of 2 key documents),

"Pursuant to the Directive 1995/46/EC, the data controller should ensure compliance with several principles relating to data quality. These principles include: (1) the collected data should be processed fairly and lawfully; (2) the collected data should be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; (3) the collected data should be adequate, relevant, and not excessive in relation to the purposes for which they are collected and/or further processed; (4) the collected data should be accurate and, where necessary, kept up to date, and; (5) the collected data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed."

* http://resources.infosecinstitute.com/differences-privacy-la...

* http://politicsandpolicy.org/article/european-union-and-inte...

* http://www.nbcnews.com/id/15221111/ns/technology_and_science...

* http://privacylawblog.fieldfisher.com/2014/how-do-eu-and-us-...

* http://www.wsj.com/articles/SB100014241278873243386045783283...

PS. This is not a wholesale endorsement of EU style privacy, there are things that need to be fixed too but IMO is much more respectful of the individual in general.

Wouldn't it make sense to consider that, for instance, my dropbox or google accounts are amongst "my effects"?

Yes, in a sense I'm handing data to a 3rd party, but in another sense they're just today's notebooks and drawers.

It would but that's not how US law is being interpreted today. That's what I would like to see fixed.

No, the EULA for those services is also quite explicative about this.

I haven't looked at these EULAs for a while, but didn't Google Docs' EULA basically reserve the right for Google to publicly display your document whenever they wanted? http://www.cnet.com/news/does-google-own-your-content. Something like that would, in my opinion, squarely take something out of the scope of the 4th amendment.

It's tricky, basically once you have stored those documents on a 3rd party service you have effectively shared them with that party.

The government can request or compel that party to disclose that information; they do not have to go through you any more. This means that you can't claim 4th amendment rights as you aren't even "involved" in the process.

The lack of proper data protection laws (such as the ones in the EU) is clearly starting to show how just having vague constitutional interpretations isn't enough to actually protect your information.

Remember, this is only constitutional limits. Congress is free to pass laws preventing such collection, as they in fact did with the Freedom Act, banning phone metadata collection.

We don't consider handing a letter to the USPS "giving over the information to a third party," so we have an example to apply to other supposedly third-party information that is really first-party information temporarily handled by, but not intended for, a third party.

Actually when you give USPS a letter you are giving the recipient's address, and optionally yours, by writing it in plain text on top of the envelope. The same argument could be made about IP addresses. By connecting to a Tor node you are willingly giving your IP address.

There is evidence that the USPS has been logging all that metadata.

I'm not saying that it's right but it apparently is happening.

The USPS can't read the letter without breaking the seal. That's different from Tor, where the three parties can team up and exchange data, and they'll know who visited what, without breaking any seal.

If the mail is unsealed, they're allowed to open it. See https://www.law.cornell.edu/cfr/text/39/233.3

I can very easily call any of the layers in a secure connection a "seal". Besides, it's an analogy to demonstrate that there are things that are considered private while in a third party's control, not a literal point-for-point template for how to design privacy law for the Internet. The third-party doctrine does not match any non-lawyer's expectations, and it's the doctrine that needs to change, not just people's expectations.

They can read the mail through the seal using the sort of tech used by archaeologists to read rolled up scrolls.

Surely the point is that when sealed the user expects privacy, just as when using Tor a user expects privacy - in both cases there is a system in place to protect the content from being simply read. That the technical solution used can be overcome doesn't change the user's expectation that the 'seal' will mean the content is carried without being read.

The fact that all relays working together can determine the information means that the user gave up the info. If the US were to operate all three relays, would you still consider collecting that data to be illegal?

"Consider...illegal" sounds like a trap. It should be illegal, and is definitely wrong.

Should it be illegal for a private person to do so? If it's legal to run a single relay, what changes when you spin up more?

Yes, it should. It's illegal for a private person to steal unencrypted cable, it's illegal for a private person to spin up a bunch of servers to siphon information from a corporation's computers, it's illegal for a private person to tap into someone else's unencrypted phone calls, etc.

All of those are illegal under the CFAA, because they accessed a computer without authorization. In this case, every use of a computer was authorized.

If someone's calling up random numbers and talking into them, my predicting which number they'll call and buying it, then listening to it doesn't violate any laws (although you can argue it should).

The CFAA has nothing to do with stealing cable or tapping phones, both of which existed (and were almost certainly illegal) before the CFAA and before digital cable or digital phone systems.

Regarding buying random phone numbers, I'd say again, analogies are only useful to demonstrate the existence of an area of law in which something is legal or illegal, but not useful for designing in detail the laws governing digital/networked activities. There's not a sufficient parallel to make any decisions based on any analogy to a previous situation or technology; there's only enough parallel to prevent closing off the discussion of making privacy violations illegal by saying "it's not".

I think the argument I summarized in https://news.ycombinator.com/item?id=11171344 is reasonable. In a nutshell, they say that we should apply the third party doctrine as if we're in a world without third parties. So in the tor case, if they would need to manually transfer information, then the identity of both people would be known. The basic intuition is that technology shouldn't allow more hiding. (This is a simplification, read the sources to understand the point being made.)

>They're giving over the information to a third party, which usually destroys any 4th amendment rights.

By that argument mail, courier, landline phone, cellphone, satellite phone, email, web chat, SMS, and everything except face to face speech aren't protected.

Legally, I suspect that's a bit of a reach.

And one cannot use the Internet at all without giving over information to a third party. I'm going to go ahead and say we've all been "dirt roaded" by this interpretation since now we can't even watch the modern equivalent of TV without "giving away" our privacy under it. That is a step backwards to say the least.

So when I send data over the internet, am I "giving" it to everyone who owns a router along the route? I wouldn't say so.

They can all read it, if you're using http. In what sense are you not giving it to them?

Even on https, they can see who you are and who you're visiting.

The USPS can read my mail, but I am not giving it to them (legally or morally).

Also, tor isn't HTTP. It's quite heavily encrypted.

The only relevant information being used by the government is who visited what site. (If this is incorrect, let me know). That corresponds to the outside of letters, which the government can read legally without a warrant.

The outside of letters isn't encrypted. The destination in Tor is encrypted by design to everyone who is expected to know who you are. It's literally the purpose of Tor to make that information private.

Or to put it a different way, if Tor doesn't create a reasonable expectation of metadata privacy, what would?

>Or to put it a different way, if Tor doesn't create a reasonable expectation of metadata privacy, what would?

According to the theory put forward in the second part of http://www.abajournal.com/magazine/article/the_data_question..., nothing.

How does the absurdity of that result not serve as its own refutation?

Why is that absurd? The theory is well defined and defended.

The theory doesn't work. It's based on the idea that if you go out into public the police could traditionally have followed you to see where you go.

Which isn't actually true. They didn't have the resources to follow everyone everywhere all the time. And if they were following you, it was possible for you to observe them. There are methods to detect a tail, so you could employ them and then not go to the secret place until there is no one watching. To maintain "technological neutrality" it would require there to exist equivalent digital methods for people to use to prevent being observed.

Kerr's whole premise of technological neutrality is also questionable unless you apply it both ways. But does it really make sense to say that the police can't use fingerprints or DNA evidence because it wasn't traditionally available? How does that framework make any sense at all?

>There are methods to detect a tail, so you could employ them and then not go to the secret place until there is no one watching. To maintain "technological neutrality" it would require there to exist equivalent digital methods for people to use to prevent being observed.

Honestly Tor seems like a great analogy here. It makes it far more difficult to be observed, but it's fallible, as is trying to spot a tail.

But the question isn't whether someone could use a welding torch to break into your safe, the question is whether you have a reasonable expectation of privacy.

Because the consequence isn't that the police can't get the information, it's only that they need a warrant first.

So does this apply to encrypted information coming into my home such as cable TV? Encrypted wifi? Cell phone signals?

I believe the argument is more focused than that: there is no expectation that one's IP address is private when the process of connecting to a server involves disclosing the IP address as the respond-to destination. I have a hard time seeing a flaw in that reasoning.

Why do they specifically mention the fact that the Tor Project warns about possible vulnerabilities?

There's a reasonable expectation of privacy in a hotel room, for example[1]. To me this argument reads like: "The hotel owner cannot guarantee that a previous patron hasn't left a listening device in your room, so there's no reasonable expectation of privacy."

[1]: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1718669

You have a reasonable expectation of privacy inside an abode. If a patron left a recording device, they likely would be in violation of Federal and/or State laws.

The same could be said for certain vulnerabilities in Tor: Exploiting them could be illegal under the CFAA (unless you're a LEA with a warrant).

The whole Internet Protocol is based on sending packets with your public IP, by a stretch of that logic are we supposed to understand that no privacy should be expected on all of the Internet? This argument seems sketchy at best.

That seems like a decent assumption to me. When your IP talks to another on the Internet, you no longer have any control over the metadata of that connection. It will show up in the logs of the other IP, and the owner of that IP is free to do anything with those logs.

It seems far more naive to assume there is an expectation of privacy on the Internet.

So the government mining of all meta data sent to any third party (including all texts, phone calls, and internet usage) is fine? Also, what about the data itself. You are putting the data on lines you don't own, so that is all fine too, no?

I think you've just stumbled across the crux of the government's position regarding PRISM.

To provide a contrasting example: GCHQ tapped fiber-optic lines between corporate datacenters. Those lines are not public and are therefore not supposed to be up for grabs; tapping them without the consent of their owners is an espionage activity.

Attaching to an open network that fuzz-routes data and then cheating on the policies of that network that are intended to anonymize the requesters of the data is just good old-fashioned protocol circumvention. Definitely rude and demonstrative of a major practical weakness in tor, but probably not illegal. It doesn't sound like there was any law for SEI to break here (though I hadn't heard the suggestion that the CFAA might apply, which is an interesting legal angle to explore).

Are you going to tell me that if I did the same thing I wouldn't be accused of hacking by the US government? That seems doubtful.

That's why you encrypt your data, and assume it is not secure if it is not encrypted. "Here, third party, please have my meaningless binary blob. You may do with it as you wish. Thank you for transiting it across your network in accordance with the TCP/IP protocol."

Third party: "You're welcome! Since you seem to be very interested in that specific subject (the destination IP address happens to map to a site specified for that subject), we sold this information to Google and they will now show more ads regarding that subject."

No, seriously. I believe it is good practice to encrypt all data over all kinds of wires (public or not). However, most of the time, we do not encrypt metadata, which can be just about as useful as the actual data (and way easier to analyze). Do you really think that any government cares much about what you say to a specific person? They only care that you talk to that person, when you talked to that person, and how frequently you talked to that person. The same goes for almost anything. If your ISP were interested in your data, they would actually value metadata a lot more than the actual payload because metadata can be analyzed quite easily and reliably.

Tor was (and still is) your only protection against these kinds of attacks because your ISP only knows you're talking to some Tor nodes, the Tor nodes can see very few of the websites you visit (or email recipients you send to) because you will use other nodes for the next website/email, and the website will not know who you are if you don't authenticate because many requests can come from that Tor node.

Seems like Tor is demonstrably not as good protection as people hope it to be. Hm.

Please remember that Tor has since fixed these bugs. What is important, though, is that nobody (not even the government) should be allowed to legally decipher _all_ (or most) of the traffic going through a network/service.

We could say the same for HTTPS, because it also had its fair share of vulnerabilities.

Yes, but in the case of onion routing, the IP address is masked by layers of the onion.

It's understandable that Layer 3 knows Layer 2, that Layer 2 knows Layer 1 and that Layer 1 knows the originator.

But Layer 2, 3 and the website should not know Layer 1 by design. Defeating this is akin, IMHO, to circumventing a lock by photographing the key that you don't own.

That seems like a slightly different legal argument than breach of privacy, though.

Not at the base layer, not at all. That's why commercial traffic is handled by secure encryption, and not an elaborate fabric of internationally-agreed-upon laws that will assign fair and standardized punishments to people for snooping each other's IP packets on an open wifi router without permission of the packet sender.

Well, at least in who you talk to. You can encrypt the content.

Perhaps like visiting your cult friend. You have an expectation of privacy for what you say in his house, but the fact that you traveled to his house does not have an expectation of privacy.

What privacy can you expect? Do a tracert to see the reporting nodes that your packets talk to before getting to their recipient. All of those nodes know about your packets, as does whoever is running them.

No, avoiding the need to disclose one's IP address is the entire point of Tor! Yes, the Tor project does warn about ways in which this could fail. It does this in the tone of a lock-maker warning about power drills.

You're cutting out the most important parts:

> The Court agrees with the government that applicable Ninth Circuit authority precludes the defendant’s success on his motion. SEI’s identification of the defendant’s IP address because of his use of the Tor network did not constitute a search subject to Fourth Amendment scrutiny. The Court reaches this conclusion primarily upon reliance on United States v. Forrester, 512 F.2d 500 (9th Cir. 2007). In Forrester, the court clearly enunciated that: “Internet users have no expectation of privacy in ...the IP address of the websites they visit because they should know that this information is provided to and used by Internet service providers for the specific purpose of directing the routing of information.” Id. at 510.

> In the instant case, it is the Court’s understanding that in order for a prospective user to use the Tor network they must disclose information, including their IP addresses, to unknown individuals running Tor nodes, so that their communications can be directed toward their destinations. Under such a system, an individual would necessarily be disclosing his identifying information to complete strangers. Again, according to the parties’ submissions, such a submission is made despite the understanding communicated by the Tor Project that the Tor network has vulnerabilities and that users might not remain anonymous. Under these circumstances Tor users clearly lack a reasonable expectation of privacy in their IP addresses while using the Tor network. In other words, they are taking a significant gamble on any real expectation of privacy under these circumstances.

> [...]

> The evidence before this Court indicates that SEI obtained the defendant’s IP address while he was using the Tor network and SEI was operating nodes on that network, and not by any access to his computer.

SEI got the IP addresses because the Defendant's computer communicated that information to SEI.

You can imagine that the briefing went something like this:

Government: there is no expectation of privacy because connecting to Tor involves giving out your IP address to random people on the Internet.

Defendant: but the purpose of Tor is to hide your IP address from anyone that might matter.

Government: well obviously that didn't work because we figured out his IP address.

The point of vulnerabilities isn't the basis for the Court's opinion--it's just a rebuttal to the idea that Tor is supposed to keep your IP address secret even though it necessarily involves giving it to at least some untrusted nodes.

Huh. http://www.theatlantic.com/technology/archive/2013/12/what-y... says

>Importantly, my defense of the third-party doctrine implies an important limit: The doctrine should apply when the third party is a recipient of information, but it should not apply when the third party is merely a conduit for information intended for someone else.

Sourced from http://www.abajournal.com/magazine/article/the_data_question...

The linked argument (which is one half of a debate) argues that the third party doctrine should apply to things that you wouldn't be able to hide without third parties. So metadata is covered, because you can't hide who you communicate with, but content is not. The data collected here is metadata (who connected to the site), so it seems they would consider it collectable legally.

IP addresses are routinely subpoenaed. Ask the operator of any popular file sharing site how many subpoenas they get from copyright lawyers. Some large ISPs have entire departments dedicated to servicing subpoenas from law enforcement.

Just because you used Tor doesn't make your IP address invulnerable to subpoena.

If I connect through 7 proxies and do something illegal, my IP is no less subject to subpoena than if I weren't to use a proxy at all.

If I stand in my front yard, in view of my neighbors, put on a mask, then I go rob a store, wearing that same mask, I don't have a reasonable expectation of privacy as to my identity while wearing the mask.

This case is far less controversial than the recent one where the FBI hacked all the pervert's computers. It may be an issue of ethics at CMU, but, not an issue with 4th/5th amendments.

Can someone tell me where to have a reasonable expectation of privacy?

When you speak to a doctor; when you speak to a lawyer that you're paying for.

Speaking to a medical doctor isn't necessarily confidential. I believe there are some categories of things that doctors must report to authorities, and that varies from US state to state.

Wikipedia says: "In the United States, the Federal Rules of Evidence do not recognize doctor–patient privilege."

Would it help if I buy internet access from my lawyer?

But not if you're speaking to them over the Internet.

Right. If you're doing that, I'd recommend making sure that the tools you're using to communicate with them can encrypt your messages and their messages using some protocol that only the intended recipient can reverse. Public-private key encryption seems to generally be a good approach.

Look for the "padlock" icon in your browser before talking to your doctor about Viagra. ;)

Even off the Internet, the fact that you talked to your lawyer isn't necessarily protected even if the content of the conversation is.

Add Priest

Only if you're a lawyer... and you're their lawyer... and you're talking about their legal matters.

Everything in your own head is still pretty much private, for now. Give it some time, though, and fMRI will be reading thoughts (and the government will be compelling people to get scanned).

From Tor's front page:

What is Tor?

Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security.

So, if the users of a service whose explicit mission statement is to provide anonymity and privacy apparently do not have "reasonable expectation of privacy," who does? Are they going to argue next that the private owner of a wifi-capable laptop has no expectation of privacy in their own home because the webcam could be conceivably hacked and remotely activated?

Since they didn't verify all code on the laptop, and since the EULA said that they don't actually own the code, only rights to use the code, then there is no reasonable expectation of privacy using the laptop.

There's no absolute expectation of privacy on the laptop. There's definitely a reasonable one, unless someone wants to argue that a layman independently verifying every bit of code and every silicon gate in it is "reasonable".

Is there a reasonable expectation that my new car won't explode when I turn the ignition, if I haven't stripped and rebuilt it to verify every part?

So anyone using a computer with any proprietary software on it has no expectation of privacy?

There is no clear line where total privacy starts and ends with technology currently available on the consumer market. Even if you don't use any proprietary software at all (which is very difficult to do for most people), your privacy could, in principle, still be compromised by the underlying hardware.

> Jones claimed that IP addresses, and even those of Tor users, are public, and that Tor users lack a reasonable expectation of privacy.

This is an interesting judgment. Tor's purpose is to provide privacy. The fact that it may have vulnerabilities (as all software does) doesn't mean that a person using Tor doesn't expect that it will provide them with privacy.

I think you're conflating two different points. Just because providing privacy is Tor's intended purpose doesn't mean it's reasonable to assume it provides privacy in the 4th amendment sense, when it still involves sending your data to Tor nodes. The argument is that public IPs are inherently not private because you have to give that information up to a separate entity to make any sort of communication. I'd wager that's the "vulnerability" they're referencing - that you don't know who is running the Tor nodes, and by extension can't assume your IP will stay private if you're freely giving away your IP address to them.

By voluntarily giving that information up, there is no reason to expect that the Tor server you're connecting to will keep that information private any more than a Facebook server would, even if we would like/hope that to be the case. The person who owns the Tor server is well within their rights to keep a log of every IP connected to their server.

You also have no control over the node which makes the actual connection to the outside world - in which case that server can equally log anything it wants about that connection. If the same person controls both servers and puts two-and-two together and figures out you made a connection to website X, they haven't violated your 4th amendment rights because you voluntarily gave that information up by connecting to the Tor network without checking who you were giving that information to.

Tor's intended goal is to provide privacy, but that doesn't mean it gives you a legal expectation to privacy, which I think is what they're getting at. The reality is that third-party entities can do whatever they want with the data you voluntarily give them - the fact that they're Tor nodes doesn't change this.
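A toy model of the layered circuit described earlier in the thread (Layer 1 knows the originator; Layers 2 and 3 and the website should not) and of the "same person controls both servers" case in the comment above. This is an added example, not Tor's code or its real protocol: the per-hop encryption is a keyed XOR stream derived with HMAC-SHA256 standing in for Tor's circuit keys, and every relay name, key, IP address and operator is a constructed sample value.

```python
"""Toy model of a three-hop onion circuit: what each relay can and cannot see.

Added illustration only, not Tor's code or its real protocol. Each hop's
"encryption" is a keyed XOR stream derived with HMAC-SHA256, standing in for
Tor's per-hop circuit keys. Relay names, keys, IPs and operators are
constructed sample values.
"""
import hashlib
import hmac
import json


def keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256(key, counter) blocks concatenated to the requested length."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_layer(key: bytes, data: bytes) -> bytes:
    """Add or strip one layer: XOR with the keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def build_onion(circuit, destination: str, payload: str) -> bytes:
    """Wrap the payload so that relay i, after stripping its own layer, learns
    only its next hop. circuit is a list of (relay_name, hop_key), guard first."""
    # Innermost layer (exit relay): names the destination and carries the payload.
    blob = xor_layer(circuit[-1][1],
                     json.dumps({"next": destination, "body": payload}).encode())
    # Wrap outward: each layer names the next relay and hides the inner blob.
    for i in range(len(circuit) - 2, -1, -1):
        _, key = circuit[i]
        blob = xor_layer(key, json.dumps({"next": circuit[i + 1][0],
                                          "body": blob.hex()}).encode())
    return blob


def run_circuit(client_ip: str, circuit, destination: str, payload: str):
    """Pass the onion through each relay and record what that relay observed.

    Each relay learns who handed it the cell ("from") and where to forward it
    ("to"). Only the exit, after stripping the last layer, sees the destination
    and the payload; only the guard sees the client's IP address."""
    blob = build_onion(circuit, destination, payload)
    observations = []
    previous = client_ip
    for i, (name, key) in enumerate(circuit):
        inner = json.loads(xor_layer(key, blob))
        is_exit = i == len(circuit) - 1
        observations.append({"relay": name, "from": previous, "to": inner["next"],
                             "payload": inner["body"] if is_exit else None})
        previous = name
        if not is_exit:
            blob = bytes.fromhex(inner["body"])
    return observations


def operator_view(observations, operator_of: dict, operator: str) -> dict:
    """Combine the logs of every relay one operator runs.

    Returns the client IPs seen at the guard and the destinations seen at the
    exit. Holding both sides is what lets a single operator link a client to a
    site; a guard-only, middle-only or exit-only operator holds at most one."""
    guard, exit_ = observations[0], observations[-1]
    view = {"client_ips": set(), "destinations": set()}
    if operator_of[guard["relay"]] == operator:
        view["client_ips"].add(guard["from"])
    if operator_of[exit_["relay"]] == operator:
        view["destinations"].add(exit_["to"])
    view["can_link"] = bool(view["client_ips"] and view["destinations"])
    return view


# Constructed sample circuit: operator A runs both the guard and the exit.
CIRCUIT = [("guard.example", b"k-guard"), ("middle.example", b"k-middle"),
           ("exit.example", b"k-exit")]
OPERATOR_OF = {"guard.example": "A", "middle.example": "B", "exit.example": "A"}

if __name__ == "__main__":
    log = run_circuit("203.0.113.7", CIRCUIT, "example.org", "GET / HTTP/1.1")
    for entry in log:
        print(entry)
    print(operator_view(log, OPERATOR_OF, "A"))  # holds both client IP and site
    print(operator_view(log, OPERATOR_OF, "B"))  # middle only: holds neither
```

The middle relay's log shows only relay names on both sides, which is the "Layer 2 should not know Layer 1" property; the combined view for operator A is the position the court's reasoning treats as unprotected.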

I somehow doubt that if I as an individual performed these actions the government would hold back from charging me under the CFAA.

That's because you aren't backed by thousands of men in black uniforms with automatic weapons. And that's what it's really about.

Yes, it seems like a rather naive construction. Analogously your email server might have vulnerabilities, therefore you have no reasonable expectation of privacy for any emails you have stored there.

Why isn't the first line of the Tor EULA or info page (and I wondered the same about Lavabit email) "This software/service is intended to provide its users a reasonable expectation of privacy under US and international law." Or some such. It's unreasonable to expect every user of a tech service to understand how it all works so they can know their level of legal protection. Phone taps require a warrant even if the phone user doesn't know how switching or tapping works.

What's wrong with this idea?

(Not a lawyer, but) I don't think it legally holds any water; once your data is out on the public network, it's out on the public network.

It's the electronic equivalent of a sticker on your car that says "This car is intended to provide its users a reasonable expectation of privacy under US and international law."

When I make a phone call it routes through a public network. Tapping a phone is illegal due to my expectation that the call is private.

I dunno. I've seen some good arguments either way here, and I'm also not a lawyer.

I like this, because it points to addressing user silence with respect to expectation of privacy. Take your idea one step further.

Suppose Tor provided a box that users could (optionally) click to affirmatively declare they were using Tor with an expectation of privacy. Maybe this selection could be locally stored in an encrypted form so that users, if they later needed to prove they had an expectation of privacy, could show they had ticked the box declaring that.

This could provide an affirmative declaration that the user expected privacy when using Tor. Would that be useful? Thoughts, anyone?

I could put a sign on my living room wall that says "Anyone who sees this sign owes me $100." Do you think that would hold up in court?

Of course it wouldn't. Asserting something does not make it true. Your example is as trivial as mine, from a legal point of view -- you can't create constitutional rights that don't exist simply by asserting them. The courts decide where people have an expectation of privacy; you can't just create that expectation by writing it down.

But you might be able to create it contractually. Before establishing a connection with a node, exchange a sequence of packets whose contents contains an agreement that neither node will keep a persistent record of the IP address or any other data or metadata associated with the connection. Refuse to connect a node that does not send a (signed) agreement. It's still tricky about identifying the parties, etc., but it'd be interesting to explore with a techno-lawyercat.

"intended to do something" does not magically make Tor actually meet the smell test that the courts have set up.

The expectation of privacy (at least in the US) is not necessarily about what the users actually think about their level of privacy, but of what a well-informed user might expect.

A well-informed user of Tor knows it's handing the exit nodes a lot of information, and thus using Tor makes what you're doing semi-public.

I wonder if that would impose liability on the Tor project itself or Tor node runners.

If it did, you can substitute out this SEI story with the CIA just secretly directing multiple Tor node owners to run special versions of their software without notifying users.

So the information was obtained by subpoena from a university research program that is federally funded.

Thinking back to the Heartbleed incident, does this set a precedent for the government to subpoena information related to private keys that may have been exposed due to a software vulnerability and recorded as part of a federally funded university security research lab investigation into said vulnerability? Given that Heartbleed was so public, the likelihood of private keys and certificates not being revoked is pretty low. But what about the next major software vulnerability that doesn't have the same publicity?

Or extrapolating even further, what about DNA that may be collected and kept by entities receiving federal funding. Say healthcare funding? Does that entitle the government to access?

If you work in research like that - how can you sleep at night?

This is a real question - I haven't been able to ask someone directly involved in unmasking users like that.

From the perspective of a current CMU student: the Software Engineering Institute (SEI) here is the responsible party. Note that they are separate from the main ("academic") school of CS. They are a federally-funded research and development center, essentially a computing-focused contractor and consultant for the DoD (see more here: http://www.sei.cmu.edu/about/organization/workingwithanFFRDC...).

So, in short, the people at the SEI sleep as well as the people at Raytheon or Lockheed Martin that build the drones, or the folks at Alcatel-Lucent who helped the NSA way back, or maybe even the guys way back at Los Alamos. It's not like some grad students or CS professor got strong-armed into doing this. It's literally their job to do this kind of work for the DoD and other government offices. While the ethics of this line of work are certainly up for debate, they knew exactly what they were getting into.

The subject of ethics in computer science is mostly unstudied, and broadly ignored.

When I studied it, it basically boiled down to the arguments about patents. We never discussed IBM's involvement with the Gestapo, or the Apartheid South Africa Government.

If you don't own the physical layer, sooner or later you're screwed. (My comment is not meant to reflect on the merits or dismerits of the particular use in question. It's a general statement.)

One minor thing: consider showing motherboard.vice.com as a separate domain?

Was the vulnerability made public? Was it patched?

It's covered in this blog post[1]. Some mitigations are in place now.

[1]: https://blog.torproject.org/blog/tor-security-advisory-relay...

I must admit the description is pretty opaque for me. Can someone translate this to simple english? What "subpoena" is in this context? What most likely actually happened?

I'm less interested in the courts interpretation of reasonable than why my personal liberty depends on such a subjective term. If the bill of rights is entirely subjective, it might as well say "We the people have rights.. and stuff. Y'know man?".

Note to the next framers of a constitutional republic. Include some notion of objective unit and functional tests.

We detached this subthread from https://news.ycombinator.com/item?id=11171928 and marked it off-topic.

You don't "have" any personal liberties. You are not born with rights, you are gifted them by a benevolent society. That society can easily lose its benevolence, and take your rights away, and there is absolutely nothing you'd be able to do about it.

You might hold a differing view, but the fact is, reality works as I've described. Delude yourself all you want, but your rights do hinge on the imperfect and subjective manner in which your benevolent rulers have granted them to you.

They have not granted you absolute rights, specifically laid out, but they have done better than, "rights.. and stuff."

"We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness. -- That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed"

-- The Declaration of Independence

In an American context, human rights are often thought of as coming from a God or Creator. They are either preserved or infringed upon by the state, but aren't granted by the state. As a practical matter, just government is required to safeguard those rights.

That's the Declaration of Independence, which is a purely rhetorical document. The Constitution itself justifies itself very differently:

"We the People of the United States, in Order to form a more perfect Union, establish Justice, insure domestic Tranquility, provide for the common defence, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America."

And the Fourth Amendment itself, which enumerates the right at stake, specifically talks about "reasonable":

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

They might talk about "natural" rights in grade school, but that is not the reasoning that the legal system was ever built (not even in the 1790s!) to operate on.

>You are not born with rights

This argument is really semantic.

The line always devolves to the tautological "the only rules of the universe are physical rules".

That's not tautological at all. Also, it's not really true. There are plenty of rules. What I'm saying is the only "unalienable" rules are the laws of the physical universe. Every other rule is a construct of society and people, and as such, is not guaranteed in the way as stated by the previous commenter.

It's just something I believe is worth keeping in mind when talking about your "right to privacy", specifically. There are many prominent public figures who actually don't believe you have that right at all, and when we remember that rights (as we're referring to them) are granted only by the grace of the state, if the members of the state don't believe you have a right, then you simply don't.

The argument here should be more about whether or not it's in the state's best interest to grant the right to privacy to its citizens, and I think there's a pretty strong argument in favor of that, but simply stating "I have a right!" doesn't illuminate that argument very much.

Don't forget Bitcoin. If it didn't happen on the block chain, it didn't happen.

> You don't "have" any personal liberties. You are not born with rights, you are gifted them by a benevolent society. That society can easily lose its benevolence, and take your rights away, and there is absolutely nothing you'd be able to do about it.

Certainly society is a secondary concept to any strictly individual notion (just formatively speaking) - of course one starts at a point where others have already built up what is currently the case, but certainly that's not saying anything about rights being 'gifted' to an individual - only that there is a threat of violence against individuals by society for all matters not included in said 'rights'.

You're free to play with definitions as you want - but it would help if you had rather spent that time on a clear argument than on statements such as these:

> You might hold a differing view, but the fact is, reality works as I've described.

I was (and still am) trying to illustrate the "physical reality" that exists independent of the concept of personal liberty.

It can be argued in many different ways, but the actual, consequential mechanisms regarding a person's "rights" are enforced at a legal level, and are done so at the discretion of the state. Reality does work, therefore, as I've described, regardless of what eloquent points you might make about the innate personal liberties each person is "born with". This is my "clear" argument.

> Reality does work, therefore, as I've described, regardless of

Holy tautological christ, batman!

> "physical reality" that exists independent of the concept of personal liberty

How about gay rights? Or reproductive rights? Or the right to use Uber? To argue ideology does not impact our legal system is frighteningly ignorant.

It seems evident that if enough people feel entitled to something (justly or not) it's possible the state is forced to adapt or not enforce unpopular laws. The state influencing society and society influencing the state are not mutually exclusive.

You're the second person to claim tautology, but you've both been wrong. "Reality works as I've described" is not tautological. "Reality works as reality works" is tautological. "As I've described is as I've described" is tautological. I'm further asserting, beyond the givens, that what I've described presents a difference from alternative conclusions, and what I've described represents the set of physical laws of this universe, rather than the ideological so-called "rules" of society, which are not enforced via the physical laws of this universe.

We're talking about "rights" in the context of "what can and can't be done", and I'm concluding that what some people are claiming as "unalienable" or "innate" aren't actually so.

It doesn't matter how many people "feel entitled" to anything. It does not seem that the state is "forced" to do anything. The state can choose to act and behave a certain way, but "forced" is simply wrong, as a way to describe how the state behaves. "Influence" is more accurate, certainly.

It may feel "wrong" or "bad", the fact that the state maintains absolute control, but it's true. Only through the grace of the state's benevolence does the influence of individuals or groups matter. The state gives you many ways to move through its control, and is generally benevolent, but not because it has to be.


> Real talk. Did you have daddy issues growing up?

Personal attacks are not allowed on HN. We ban accounts that do this, so please don't do this.

I feel like you're trying to make a point but I'm not sure what it is.

My post made no mention of expectations to rights or liberties. My point was the document intended to place limits on the government isn't very objective. And from one perspective - seemingly useless.


What an absurd plunge. Please don't turn any more HN threads into flamewars.

We detached this subthread from https://news.ycombinator.com/item?id=11169887 and marked it off-topic.

You are right. Intelligent minds have only existed for a few dozen years. Nothing can be learned from the thinkers of the distant past (anything beyond 31 years, in my very personal experience). /s

No offense, but your ideas deserve criticism, if not only for the overtones of hate on religion & God. (I say this as a Christian athiest.)

...a Christian athiest [sic].

I have not seen this phrase before. Do you mean that you are culturally Christian, but don't believe in a higher power?

Yes. Thanks for the respectful reply. (Contrasting the deleted, hateful comments.)

I say it from a point of indoctrination. I have felt "God", just as I was sure Santa existed. I can never rid myself of the past, where I thought the Christian God was the only truth.

and... yes, it is partly meant to be tongue in cheek. :)

>if not only for the overtones of hate on religion & God. (I say this as a Christian athiest.)

And? Why should they have special protection over things? Why cannot some other made up, modified over the years stories be held in such high regard?

Hate is retarded. Reason is golden.

I was criticizing the hatred. The object of the hate is unimportant. Drop the emotion and share the logic. The OP's entire rant was an unfounded strawman attack on religion.

> I was criticizing the hatred. The object of the hate is unimportant. Drop the emotion and share the logic. The OP's entire rant was an unfounded strawman attack on religion.

No it wasn't. That was a side point. The main point was that the constitution isn't Gospel -- we can change it and shouldn't treat it as perfect.

You are right. I got a bit carried away...

There is no reason when it comes to worshiping imaginary beings or hero worshiping people like Jesus Christ. That's not the home of reason, and no my "rant" was not an unfounded straw-man attack on religion. My "rant" was a pretty well founded "rant" on the basis of God or other founding myths used to try to control people with real power.


"Virtually all modern scholars of antiquity agree that Jesus existed historically"

It's not about intelligent minds; sure, they were intelligent enough to reason about certain things from the political bias of rich white men about the stuff going on in their lives in the 1700s, for example gun rights. It's about the relevance of any idea and their implications. And running entire societies and systems on the basis of principles created by men who have very little to do with most of the people around today, and holding those ideas as the hallmark of society, is a bit much.

As for religion see: https://www.youtube.com/watch?v=mJM5mipwebw

People haven't fundamentally changed since 1779. The main drivers of human action remain the same.

You might really not like this part: the constitution was based on documents and governments predating it by thousands of years.

The main drivers of human action remain the same.

Scientific (and to a lesser degree, philosophical) understanding of these drivers has changed significantly, though. Further, the breadth of actions available has increased dramatically with technology, and as such it is reasonable to revisit some of the decisions made 200+ years ago from time to time.

I agree, but I think your position excludes the existence of "unknown unknowns". What really drives us?

I think it's enough that we have more "known knowns" now than 200 years ago. We have an insane amount of knowledge that wasn't available then.

We have neurology, neurochemistry, neuropsychology, etc. to help us understand human motivations and behaviors.

We have evolution to explain human origins, and evolutionary psychology, while very much in its early stages, to identify the origins of behaviors.

We have physics, materialism, and philosophy to suggest the lack of dualistic free will, which completely alters the way we should view crime and punishment.

And for the unknown unknowns, we have modern understandings of statistics and risk analysis coupled with the scientific method. Bayes' theorem was developed before the founding of the USA[0], and yet still, 250 years later, is not well incorporated into law and political strategy.

So maybe what really drives people hasn't changed, but our understanding thereof really, really has. A lot.

[0] https://en.wikipedia.org/wiki/Bayes'_theorem#History

Just on the philosophy point - Materialism as a philosophical subject was developed well before 1779, and was a major argument during the enlightenment so would have been understood by a lot of the constitutional convention.

> Christian athiest

This is the dumbest thing that I have read today.

Nope, still the dumbest thing I've read today. That is basically the position of not being an asshole renamed to sound like, well, a religion.

Well, you hurt my feelings. Congrats.
